This is the first time this has ever happened. Note: I don’t actually use explorer.exe, I’ve changed the name as a security measure.
Now, I looked at my incoming connections, and there was one from 192.168.1.200 (my wireless router) with a few 10s of KBs of transfer. No one here was on the wireless network at the time. A couple of days ago, 192.168.1.200 tried to access my windows file shares… is this normal behaviour for a router?
I don’t know if this is related, but I installed MobaSSH today so I can ssh into my computer from outside - thought it would be cool, but not 6 hours after it was installed I had my first intrusion attempt.
o I traced that first IP, it came from China (which doesn’t narrow it down too much) but I don’t know anyone in China so I’m considering it an intrusion attempt. Thank you Defence+!
o That second IP is my modem router, I don’t know why it would be accessing my machine via port 22. Does anyone know if this is normal behaviour for a router?
So, my questions:
- How do I find out what caused the shellcode injection?
- Are my routers behaving normally? Or do I need to mess around with them?
- I’ve remapped my SSH port from 22 to something non-standard - is this enough or should I take additional measures?
- What should I do if I receive suspicious connections in the future? Is blocking it enough?
Thanks heaps in advance.
I wasn’t 100% sure which board to post this on, but this one looked appropriate.